Application signature authorization

ABSTRACT

An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The applications may be analyzed to determine whether the application is good or bad, as what security configurations, approvals and denials are associated with the application.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority benefit of U.S. ProvisionalApplication Ser. No. 61/973,248, titled “Mobile Connect,” filed Mar. 31,2014, the disclosure of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

Consumers continue to push for a mechanism that allows them to use theirown device to perform typical work tasks. In most cases, these devicesare owned by the individual user, which means the company may have zerocontrol over them. Because companies have little if any control overthese user devices, there is concern regarding providing the deviceaccess to corporate remote networks due to the potential for attacksvectors (nefarious applications, leaking, tampering, or otherwisedisclosing of critical intellectual property owned by company). Themarket has coined the term “unmanaged device” or “BYOD” (bring your owndevice) to represent any device that is not owned or controlled by thecompany that needs access to the corporate network so the employee cando their work. In most cases, this device is owned by the employeerequesting access. Some companies require employee devices to be putunder mobile device management (MDM) control before allowed onto thecorporate network, but such a configuration is not really zero control.

Most mobile solutions are all or nothing—all data is shared or no datais shared with respect to a corporate intranet (i.e., an appliance basednetwork). With the advent of BYOD, users need to access the corporateintranet but do not want their personal information to be available tothe corporate intranet. Likewise, the corporate intranet may not want torisk exposure to certain content on the user device that is not germane(or appropriate) for the corporate network.

Secure communication with a corporate network can be achieved throughvirtual private network (VPN) connections. Current VPN clients thatprovide application level control block traffic in that VPN applicationrunning on the client device. For example, some companies provide aper-app VPN solution. Despite current VPN per application solutions,there are still concerns regarding the vulnerability of corporatenetwork access from personal user devices.

There is a need in the art for managing access to corporate networks byuser's personal devices that identifies the health of applicationsgranted access to the network.

SUMMARY OF THE CLAIMED INVENTION

An appliance works in conjunction with an agent on a remote device tocontrol application access to a corporate network. In conjunction withan SSL tunnel and policy operating at the appliance, granularapplication control may be implemented. In particular, a device user maydetermine what applications from a set of applications may access thecorporate network and which applications do not access the network. Theapplications may be analyzed to determine whether the application isgood or bad, as what security configurations, approvals and denials areassociated with the application.

An embodiment may include a method for establishing a connection. Themethod may include establishing a connection between a user clientdevice and a server, the user client device having a plurality ofapplications. Application information derived from the application maybe received for one of the plurality of applications from the userclient device. Traffic may be processed for the application of theplurality of applications based on the application information derivedfrom the application.

In an embodiment, a system for establishing a connection may include aserver in communication with a user client device. The server mayinclude a processor, memory, and one or more applications stored inmemory at the server and executable by the processor to establish aconnection between a user client device and a server, the user clientdevice having a plurality of applications, receive applicationinformation derived from the application for one of the plurality ofapplications from the user client device, and process traffic for theapplication of the plurality of applications based on the applicationinformation derived from the application.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a client communicating with aremote server.

FIG. 2 illustrates a block diagram of a client having an agent.

FIG. 3 illustrates a method for generating a code signature.

FIG. 4 illustrates a method for collecting application traffic data.

FIG. 5 is a block diagram of an exemplary system for implementing acomputing device.

DETAILED DESCRIPTION

An appliance works in conjunction with an agent on a remote device tocontrol application access to a corporate network. In conjunction withan SSL tunnel and policy operating at the appliance, granularapplication control may be implemented. In particular, a device user maydetermine what applications from a set of applications may access thecorporate network and which applications do not access the network. Theapplications may be analyzed to determine whether the application isgood or bad, as what security configurations, approvals and denials areassociated with the application.

Consumers continue to push for a mechanism that allows them to use theirown device to perform typical work tasks. In most cases, these devicesare owned by the individual user, which means the company may have zerocontrol over them. Because companies have little if any control overthese user devices, there is concern regarding providing the deviceaccess to corporate remote networks due to the potential for attacksvectors (nefarious applications, leaking, tampering, or otherwisedisclosing of critical intellectual property owned by company). Themarket has coined the term “unmanaged device” or “BYOD” (bring your owndevice) to represent any device that is not owned or controlled by thecompany that needs access to the corporate network so the employee cando their work. In most cases, this device is owned by the employeerequesting access. Some companies require employee devices to be putunder mobile device management (MDM) control before allowed onto thecorporate network, but such a configuration is not really zero control.

Most mobile solutions are all or nothing—all data is shared or no datais shared with respect to a corporate intranet (i.e., an appliance basednetwork). With the advent of BYOD, users need to access the corporateintranet but do not want their personal information to be available tothe corporate intranet. Likewise, the corporate intranet may not want torisk exposure to certain content on the user device that is not germane(or appropriate) for the corporate network.

Secure communication with a corporate network can be achieved throughvirtual private network (VPN) connections. Current VPN clients thatprovide application level control block traffic in that VPN applicationrunning on the client device. For example, some companies provide aper-app VPN solution. Despite current VPN per application solutions,there are still concerns regarding the vulnerability of corporatenetwork access from personal user devices.

FIG. 2 illustrates a method for providing application access to anetwork. A VPN connection is established between the tunnel server andan agent 240 on the client at step 205. The agent may initiate the VPNestablishment by sending a VPN request to the VPN appliance.

A user is authenticated at step 210. User authentication is performed toidentify the user of the device. A user device is then classified todetermine if it meets acceptable parameters at step 215. After the userauthenticates, the system will attempt to verify the user's deviceverify the device. In some instances, an administrator defines a set ofdevice attributes, and the system may attempt to find a set ofattributes that match the device. Classification of the device mayinclude retrieval of a unique equipment identifier along with otherdevice attribute data. The unique equipment identifier and deviceattribute data may be collected by an agent and transmitted to policyserver 134. The attribute data may be used by the policy server todetermine if client device 110 may allow for application control by thepolicy server via the agent.

Once the user is authenticated and the device is classified, the datastore is queried to determine if a matching entry for the user anddevice exist. If the user and device combination are found in the datastore, then the user and device have established a connection with thecorporate network before and the version of the user agreementpreviously agreed to by the user is checked against the most recentversion. If the most recent user agreement has not changed from thestored user agreement for the user and device combination, then thepresent system does not provide the user with the same user agreementand a portion of or all of step 220 (and corresponding method of FIG. 4)will not per performed for the current session.

If the device requires a new user agreement to be accepted, eitherbecause the user and device combination is not found in the data storeor the current version of the user agreement does not match the storedversion of the user agreement, the method continues to step 220.

User acceptance of a user agreement is verified at step 220. Once a useraccepts a user agreement, the user may be authorized for the corporatenetwork access. In some embodiments, a policy server determinesauthorization of the user, device, and checks access permissions. Thepolicy allows for application access to particular data for a particulardevice type and user type. Once the user has accepted the useragreement, the user may be authorized to access a corporate network.

Application traffic may be transmitted to the corporate network at step225. An agent on the client device may monitor communication data andprovide information to the user of the device regarding whatapplications are communicating with the corporate network.

Immediately before an application starts a new flow of communicationwith the VPN appliance, the agent running on the client device willcommunicate application identifying information to the VPN appliance;this information includes an application identifier as well as a codesignature for that application. The code signature may be in the form ofa hash. Generating a code signature and processing data associated witha code signature is discussed with respect to the method of FIG. 4.

An agent on the client device may monitor communication data and provideinformation to the user of the device regarding what applications arecommunicating with the corporate network. From this information, theuser may determine if only authorized applications are communicatingwith the corporate network and if the authorized applications arecommunicating appropriately.

Data may be stored for application auditing or other purposes at step230. Application communication with a server may be analyzed or auditedat some point in time. By collecting data for the applicationcommunication with the server, a user may determine if the applicationis complying with any relevant policies or requirements. Storing datafor subsequent auditing is discussed in more detail below with respectto FIG. 4.

FIG. 3 illustrates a method for generating a code signature. Applicationinformation to be hashed is accessed at step 305. Information to behashed may be accessed while the application is running or not running.The hash may be created from one or more of a binary of the application,application signature certificate, application identifier, and version.In some instances, the hash may use SHA-256 to compute: a hash of [hashof (Application Signature certificate)+hash of (AppID)+hash of(Version)].

The present code signature has a high degree of security in that thepolicy server doesn't provide the hash it is looking for to the client.It is very hard to guess the hash that will match the one stored at theVPN appliance. Additionally, the present system that is used to classifythe users device into the proper policy set can determine if the clientdevice is jail broken/rooted and the device can be prevented from theusing the network at all. The methodology for generating the hash forthe application may vary.

A hash may be performed on the application information by the agent atstep 310. The hash may be performed in any of several ways known in theart. Once the application information is hashed, the hash is transmittedby the agent to the server at step 315.

The server receives the hash and determines if the hash corresponds to agood application at step 320. To determine if the application is a“good” application, the server may look up the hash in a table of hashesand corresponding application information identifying the applicationassociated with the hash as an exact match or not. A good applicationmay be one that is secure and authorized to communicate with a corporatenetwork through a VPN handling traffic between a user device and thecorporate network. If the hash does not correspond to a goodapplication, traffic associated with the application may be denied. Forexample, if the binary hash is performed during applicationauthentication, and the hash is determined to not be associated with agood application, an authentication request for the application may bedenied. If the binary file hash is provided along with traffic to thetunnel server, the traffic may be blocked if the hash is determined tonot correspond with a good application.

In some instances, if the server configuration requires hash matching,then the client agent will send the hash value along with theapplication identifier to the server. If the hash is expected and notprovided the server will immediately deny the traffic.

In some instances, hash checking is optional, and the server may beconfigured to “allow any version” in which case no hash information isneeded. With this configuration, the server will not verify any hashthat is sent against values in the configuration. The choice to performthis hash verification can be configured per application and clientplatform. Hence, the server may be configured to require hashing for theapplication “Thunderbird” on Android platform, but not for the“Thunderbird” application on iOS platform.

FIG. 4 illustrates a method for collecting application traffic data. Anapplication identifier (e.g., “com.apple.safari”) is sent by the agenton the client device to the VPN appliance with the code signature (e.g.,hash value) at step 405. The combination of the application ID and thehash value may allow the VPN appliance to determine if an application isa valid and trusted version of a particular client application. In someinstances, the application identifier and hash value are used to look-upa particular application in our policy rules for an access check.

A determination is made as to whether to grant the request from theapplication access at step 415. To make the determination, the VPNappliance adds the application identifier to the other standard flowattributes as well as information already known about the connection todetermine if the request should be granted access. This informationincludes, but is not limited to: Application, User, device capabilities(zone), time of access, and network destination address and port.

All or part of application traffic information collected and/or accessedin steps 405-410 may be compared to application traffic policies todetermine compliance at step 425. The policy rules are not visible tothe users, they can only see the results of an access attempt, it worksor it does not.

In some instances, in addition to identifying trusted applications asdiscussed above, the present system includes logic to help it learn howto identify trusted applications. A particular device identified can beplaced on a trusted devices list based on its equipment identifier. Ifan access request is made from an application that does not match aknown hash, but came from a trusted device on the trusted devices list,then the application identifier, version, and hash value will be storedin the datastore.

The administrator of the VPN appliance may access a list of all failedrequests from trusted devices and may add them to the list of hashvalues that are acceptable for that application in the configuration. Insome instances, a global flag on the appliance may be set toenable/disable application learning. If application learning isdisabled, then trusted devices act exactly the same as normal devices.

In some instances, when a trusted device connects to the VPN appliance,the list of applications may include all applications that areconfigured for access on the VPN appliance. For normal untrusteddevices, only those applications that the user can use in the currentsession context to access resources on the corporate network will besent to the client for presentation to the user.

In some instances, when an inside application or application from onedevice tries to connect to another device, inverse communication occurs.In this instance, the system has the IP address:port where theapplication needs to connect to but needs to check if an authorizedapplication is running on IP address:port on the client. In such case,tunnel protocol messages are sent to a mobile connect agent from theaccess gateway asking for application details of application listeningon IP address:port. Mobile Connect agent will get a response ofNOT_FOUND or the Application ID and digital signature back. This allowsan access gateway to determine if the flow is going to an authorizedapplication.

FIG. 5 is a block diagram of an exemplary system for implementing acomputing device. System 500 of FIG. 5 may be implemented in thecontexts of the likes of client device 110, VPN appliance 130 andcorporate server 142. The computing system 500 of FIG. 5 includes one ormore processors 510 and memory 520. Main memory 510 stores, in part,instructions and data for execution by processor 510. Main memory 520can store the executable code when in operation. The system 500 of FIG.5 further includes a mass storage device 530, portable storage mediumdrive(s) 540, output devices 550, user input devices 560, a graphicsdisplay 570, and peripheral devices 580.

The components shown in FIG. 5 are depicted as being connected via asingle bus 590. However, the components may be connected through one ormore data transport means. For example, processor unit 510 and mainmemory 520 may be connected via a local microprocessor bus, and the massstorage device 530, peripheral device(s) 580, portable storage device540, and display system 570 may be connected via one or moreinput/output (I/O) buses.

Mass storage device 530, which may be implemented with a magnetic diskdrive or an optical disk drive, is a non-volatile storage device forstoring data and instructions for use by processor unit 510. Massstorage device 530 can store the system software for implementingembodiments of the present invention for purposes of loading thatsoftware into main memory 520.

Portable storage device 540 operates in conjunction with a portablenon-volatile storage medium, such as a floppy disk, compact disk orDigital video disc, to input and output data and code to and from thecomputer system 500 of FIG. 5. The system software for implementingembodiments of the present invention may be stored on such a portablemedium and input to the computer system 500 via the portable storagedevice 540.

Input devices 560 provide a portion of a user interface. Input devices560 may include an alpha-numeric keypad, such as a keyboard, forinputting alpha-numeric and other information, or a pointing device,such as a mouse, a trackball, stylus, or cursor direction keys.Additionally, the system 500 as shown in FIG. 5 includes output devices550. Examples of suitable output devices include speakers, printers,network interfaces, and monitors.

Display system 570 may include a liquid crystal display (LCD) or othersuitable display device. Display system 570 receives textual andgraphical information, and processes the information for output to thedisplay device.

Peripherals 580 may include any type of computer support device to addadditional functionality to the computer system. For example, peripheraldevice(s) 580 may include a modem or a router.

The components contained in the computer system 500 of FIG. 5 are thosetypically found in computer systems that may be suitable for use withembodiments of the present invention and are intended to represent abroad category of such computer components that are well known in theart. Thus, the computer system 500 of FIG. 5 can be a personal computer,hand held computing device, telephone, mobile computing device,workstation, server, minicomputer, mainframe computer, or any othercomputing device. The computer can also include different busconfigurations, networked platforms, multi-processor platforms, etc.Various operating systems can be used including Unix, Linux, Windows,Macintosh OS, Palm OS, iOS, Android and other suitable operatingsystems.

The foregoing detailed description of the technology herein has beenpresented for purposes of illustration and description. It is notintended to be exhaustive or to limit the technology to the precise formdisclosed. Many modifications and variations are possible in light ofthe above teaching. The described embodiments were chosen in order tobest explain the principles of the technology and its practicalapplication to thereby enable others skilled in the art to best utilizethe technology in various embodiments and with various modifications asare suited to the particular use contemplated. It is intended that thescope of the technology be defined by the claims appended hereto.

What is claimed is:
 1. A method for establishing a connection,comprising: establishing a connection between a user client device and aserver, the user client device having a plurality of applications;receiving application information derived from the application for oneof the plurality of applications from the user client device; andprocessing traffic for the application of the plurality of applicationsbased on the application information derived from the application. 2.The method of claim 1, wherein the application information includes ahash.
 3. The method of claim 2, wherein a failed request to access acorporate network is detected from a trusted user and client devicepair.
 4. The method of claim 3, wherein the application hash values areadded to the application information for the request, wherein subsequentrequests having the hash value of the application will be denied.
 5. Themethod of claim 2, wherein the hash is created from an applicationinformation.
 6. The method of claim 5, wherein the application hashchanges based on changes to the application information.
 7. The methodof claim 1, further including: comparing the hash to a table ofapplication hashes and corresponding application classifications; andprocessing traffic for the application based on the applicationclassification.
 8. The method of claim 7, wherein processing trafficincludes blocking application traffic if the application is classifiedas a bad application.
 9. The method of claim 7, wherein processingtraffic includes allowing application traffic if the application isclassified as a good application.
 10. The method of claim 1, furthercomprising: collecting application level information; and comparingapplication level information to an application policy to determinecompliance of the application.
 11. The method of claim 1, furthercomprising: determining the application information does not satisfy apolicy rule; and processing traffic for the application of the pluralityof applications based on the application information corresponding to atrusted application.
 12. The method of claim 10, further comprisingadding a code signature for the trusted application to a list of codesignatures that are acceptable for the trusted application.
 13. Anon-transitory computer readable storage medium having embodied thereona program, the program being executable by a processor to perform amethod for establishing a connection, the method comprising:establishing a connection between a user client device and a server, theuser client device having a plurality of applications; receivingapplication information derived from the application for one of theplurality of applications from the user client device; and processingtraffic for the application of the plurality of applications based onthe application information derived from the application.
 14. Thenon-transitory computer readable storage medium of claim 13, wherein theapplication information includes a hash.
 15. The method of claim 14,wherein a failed request to access a corporate network is detected froma trusted user and client device pair.
 16. The method of claim 15,wherein the application hash values are added to the applicationinformation for the request, wherein subsequent requests having the hashvalue of the application will be denied.
 17. The non-transitory computerreadable storage medium of claim 13, wherein the hash is created from anapplication information.
 18. The method of claim 17, wherein theapplication hash changes based on changes to the applicationinformation.
 19. The non-transitory computer readable storage medium ofclaim 13, further including: comparing the hash to a table ofapplication hashes and corresponding application classifications; andprocessing traffic for the application based on the applicationclassification.
 20. The non-transitory computer readable storage mediumof claim 19, wherein processing traffic includes blocking applicationtraffic if the application is classified as a bad application.
 21. Thenon-transitory computer readable storage medium of claim 19, whereinprocessing traffic includes allowing application traffic if theapplication is classified as a good application.
 22. The non-transitorycomputer readable storage medium of claim 13, further comprising:collecting application level information; and comparing applicationlevel information to an application policy to determine compliance ofthe application.
 23. The non-transitory computer readable storage mediumof claim 13, further comprising: determining the application informationdoes not satisfy a policy rule; and processing traffic for theapplication of the plurality of applications based on the applicationinformation corresponding to a trusted application.
 24. Thenon-transitory computer readable storage medium of claim 23, furthercomprising adding a code signature for the trusted application to a listof code signatures that are acceptable for the trusted application. 25.A system for establishing a connection, the system including: a serverin communication with a user client device, the server including aprocessor, memory, and one or more applications stored in memory at theserver and executable to establish a connection between a user clientdevice and a server, the user client device having a plurality ofapplications, receive application information derived from theapplication for one of the plurality of applications from the userclient device, and process traffic for the application of the pluralityof applications based on the application information derived from theapplication.
 26. The system of claim 25, wherein the applicationinformation includes a hash.
 27. The method of claim 26, wherein afailed request to access a corporate network is detected from a trusteduser and client device pair.
 28. The method of claim 27, wherein theapplication hash values are added to the application information for therequest, wherein subsequent requests having the hash value of theapplication will be denied.
 29. The system of claim 26, wherein the hashis created from an application information.
 30. The method of claim 29,wherein the application hash changes based on changes to the applicationinformation.
 31. The system of claim 25, the one or more applicationsfurther executable to: compare the hash to a table of application hashesand corresponding application classifications; and process traffic forthe application based on the application classification.
 32. The systemof claim 31, the one or more applications further executable to blockapplication traffic if the application is classified as a badapplication.
 33. The system of claim 25, the one or more applicationsfurther executable to allow application traffic if the application isclassified as a good application.
 34. The system of claim 25, the one ormore applications further executable to: collect application levelinformation; and compare application level information to an applicationpolicy to determine compliance of the application.
 35. The system ofclaim 25, the one or more applications further executable to determinethe application information does not satisfy a policy rule and processtraffic for the application of the plurality of applications based onthe application information corresponding to a trusted application. 36.The system of claim 25, the one or more applications further executableto add a code signature for the trusted application to a list of codesignatures that are acceptable for the trusted application.